Fix flatpak permissions

2025-02-03 21:38:42 +01:00 · 2023-12-26 20:49:47 +01:00 · 2023-12-26 20:49:47 +01:00 · 5829f1a797
commit 5829f1a797
parent e675703c35
8 changed files with 142 additions and 55 deletions
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -1,6 +1,3 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
 name: Go

 on:
@ -9,29 +6,60 @@ on:
  pull_request:
    branches: [ "main" ]

+env:
+  GO_VERSION: '1.20'
+
 jobs:
-  linux:
+  build_linux_x86_64:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Set up Go
      uses: actions/setup-go@v4
      with:
-        go-version: '1.20'
+        go-version: ${{ env.GO_VERSION }}
    - name: Install libfido2-dev
      run: sudo apt-get install -y libfido2-dev
-    - name: Install gio dependencies
-      run: sudo apt-get install -y gcc pkg-config
-    - name: Build 
-      run: go build -v .
-    - name: Test
-      run: go test -v .
+    - name: Build
+      run: go build -o goldwarden_linux_x86_64 -v .
    - uses: actions/upload-artifact@v3
      with:
-        name: goldwarden-linux
-        path: ./goldwarden
+        name: goldwarden_linux_x86_64
+        path: ./goldwarden_linux_x86_64

-  macos:
+  build_linux_arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Install libfido2-dev
+      run: sudo apt-get install -y libfido2-dev
+    - name: Build
+      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
+    - uses: actions/upload-artifact@v3
+      with:
+        name: goldwarden_linux_arm64
+        path: ./goldwarden_linux_arm64
+
+  build_linux_x86:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
+    - uses: actions/upload-artifact@v3
+      with:
+        name: goldwarden_linux_x86
+        path: ./goldwarden_linux_x86
+
+  build_macos_x86_64:
    runs-on: macos-latest
    steps:
      - name: Checkout
@ -39,17 +67,15 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v4
        with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
      - name: Build 
-        run: go build -tags "nofido2" -v .
-      - name: Test
-        run: go test -tags "nofido2" -v .
+        run: go build -tags "nofido2" -o "goldwarden_macos_x86_64" -v .
      - uses: actions/upload-artifact@v3
        with:
-          name: goldwarden-macos
-          path: ./goldwarden
-
-  windows:
+          name: goldwarden-macos_x86_64
+          path: ./goldwarden_macos_x86_64
+    
+  build_windows_x86_64:
    runs-on: windows-latest
    steps:
      - name: Checkout
@ -57,12 +83,10 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v4
        with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
      - name: Build 
-        run: go build -tags "nofido2" -v .
-      - name: Test
-        run: go test -tags "nofido2" -v .
+        run: go build -tags "nofido2" -o "goldwarden_windows_x86_64.exe" -v .
      - uses: actions/upload-artifact@v3
        with:
-          name: goldwarden-windows.exe
-          path: ./goldwarden.exe
+          name: goldwarden-windows_x86_64.exe
+          path: ./goldwarden_windows_x86_64.exe
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,6 +6,9 @@ permissions:
    contents: write
    packages: write

+env:
+  GO_VERSION: '1.20'
+
 jobs:
  build_linux:
    runs-on: ubuntu-latest
@ -15,19 +18,14 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v4
      with:
-        go-version: '1.20'
-
+        go-version: ${{ env.GO_VERSION }}
    - name: Install libfido2-dev
      run: sudo apt-get install -y libfido2-dev
-    - name: Build with All features
+    - name: Build
      run: go build -o goldwarden_linux_x86_64 -v .
-    - name: Build minimal x86 featureset
-      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
-    - name: Build minimal arm64 featureset
-      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
    - uses: AButler/upload-release-assets@v2.0
      with:
-        files: './goldwarden_linux_x86_64;./goldwarden_linux_x86;./goldwarden_linux_arm64'
+        files: './goldwarden_linux_x86_64'
        repo-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Validate ArchLinux PKGBUILD
      uses: hapakaien/archlinux-package-action@v2
@ -46,7 +44,6 @@ jobs:
        ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        commit_message: Update AUR package from GitHub Actions automation
        ssh_keyscan_types: ed25519
-
    - name: Move binaries to directories
      run: |
        mkdir -p .debpkg/usr/bin
@ -57,7 +54,6 @@ jobs:
        mkdir -p .rpmpkg/usr/share/polkit-1/actions/
        cp -p resources/com.quexten.goldwarden.policy .debpkg/usr/share/polkit-1/actions/
        cp -p resources/com.quexten.goldwarden.policy .rpmpkg/usr/share/polkit-1/actions/
-
    - uses: jiro4989/build-deb-action@v3
      with:
        package: goldwarden
@ -70,7 +66,6 @@ jobs:
      with:
        files: './*.deb'
        repo-token: ${{ secrets.GITHUB_TOKEN }}
-
    - uses: jiro4989/build-rpm-action@v2
      with:
        summary: 'Goldwarden'
@ -88,6 +83,37 @@ jobs:
        files: './*.rpm'
        repo-token: ${{ secrets.GITHUB_TOKEN }}

+  build_linux_arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
+    - uses: AButler/upload-release-assets@v2.0
+      with:
+        files: './goldwarden_linux_arm64'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+  build_linux_x86:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
+    - uses: AButler/upload-release-assets@v2.0
+      with:
+        files: './goldwarden_linux_x86'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
  build_macos_x86_64:
    runs-on: macos-latest
    steps:
--- a/agent/systemauth/biometrics/polkit.go
+++ b/agent/systemauth/biometrics/polkit.go
@ -63,7 +63,19 @@ func CheckBiometrics(approvalType Approval) bool {

 	if err != nil {
 		log.Error("Failed to create polkit authority: %s", err.Error())
-		return false
+		log.Info("Falling back to pkexec permissions")
+		result, err = authority.CheckAuthorization(
+			"org.freedesktop.policykit.exec",
+			nil,
+			uint32(polkit.AuthenticationRequiredRetained), "",
+		)
+		if err != nil {
+			log.Error("Failed to create polkit authority: %s", err.Error())
+			return false
+		}
+
+		log.Info("Biometrics result: %t", result.IsAuthorized)
+		return result.IsAuthorized
 	}

 	log.Info("Biometrics result: %t", result.IsAuthorized)
@ -100,5 +112,13 @@ func BiometricsWorking() bool {
 		}
 	}

+	testFor = "org.freedesktop.policykit.exec"
+	for _, action := range result {
+		if Approval(action.ActionID) == testFor {
+			log.Warn("Only pkexec permissions found, consider installing polkit policies")
+			return true
+		}
+	}
+
 	return false
 }
--- a/com.quexten.Goldwarden.yml
+++ b/com.quexten.Goldwarden.yml
@ -4,16 +4,25 @@ runtime-version: '45'
 sdk: org.gnome.Sdk
 command: main.py
 finish-args:
-  - --share=ipc
+  # Allow network access for sync
  - --share=network
+
+  # GUI
+  - --share=ipc
  - --socket=wayland
  - --socket=fallback-x11
  - --device=dri
-  # - --filesystem=home
-  - --filesystem=host
-  # polkit & locking.. should filter this later on
-  - --socket=session-bus
-  - --socket=system-bus
+
+  # Lock on screensave
+  - --talk-name=org.gnome.ScreenSaver
+  - --talk-name=org.freedesktop.ScreenSaver
+
+  # Home directory access to setup browser ipc
+  - --filesystem=home
+  # pinentry & approval
+  - --talk-name=org.gnome.keyring.SystemPrompter
+  # biometric / user password auth
+  - --system-talk-name=org.freedesktop.PolicyKit1
 modules:
  - name: goldwarden
    buildsystem: simple
--- a/ui/autofill.py
+++ b/ui/autofill.py
@ -104,5 +104,5 @@ class MainWindow(Gtk.ApplicationWindow):
        self.set_default_size(700, 700)
        self.set_title("Goldwarden")

-app = MyApp(application_id="com.quexten.Goldwarden.autofill")
+app = MyApp(application_id="com.quexten.Goldwarden.autofill-menu")
 app.run(sys.argv)
--- a/ui/main.py
+++ b/ui/main.py
@ -30,8 +30,14 @@ def run_daemon():
    # todo: do a proper check
    if is_hidden:
        time.sleep(20)
+    print("IS daemon running", goldwarden.is_daemon_running())
    if not goldwarden.is_daemon_running():
+        print("running daemon")
        goldwarden.run_daemon()
+        print("daemon running")
+
+thread = Thread(target=run_daemon)
+thread.start()

 def on_autofill():
    subprocess.Popen(["python3", "/app/bin/autofill.py"], start_new_session=True)
--- a/ui/monitors/dbus_autofill_monitor.py
+++ b/ui/monitors/dbus_autofill_monitor.py
@ -6,22 +6,21 @@ import dbus
 import dbus.service
 from dbus.mainloop.glib import DBusGMainLoop
 from threading import Thread
-import gi.repository.GLib

 on_autofill = lambda: None

 class GoldwardenDBUSService(dbus.service.Object):
    def __init__(self):
-        bus_name = dbus.service.BusName('com.quexten.goldwarden', bus=dbus.SessionBus())
-        dbus.service.Object.__init__(self, bus_name, '/com/quexten/goldwarden')
+        bus_name = dbus.service.BusName('com.quexten.Goldwarden.autofill', bus=dbus.SessionBus())
+        dbus.service.Object.__init__(self, bus_name, '/com/quexten/Goldwarden')

-    @dbus.service.method('com.quexten.goldwarden.Autofill')
+    @dbus.service.method('com.quexten.Goldwarden.Autofill')
    def autofill(self):
        on_autofill()
        return ""

 def run_daemon():
-    mainloop = DBusGMainLoop(set_as_default=True)
+    DBusGMainLoop(set_as_default=True)
    service = GoldwardenDBUSService()
-    mloop = gi.repository.GLib.MainLoop()
-    mloop.run()
+    from gi.repository import GLib, GObject as gobject
+    gobject.MainLoop().run()
--- a/ui/settings.py
+++ b/ui/settings.py
@ -9,10 +9,13 @@ from gi.repository import Gtk, Adw, GLib
 import goldwarden
 from threading import Thread

+hidden = False
+
 class SettingsWinvdow(Gtk.ApplicationWindow):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

+        print("init settings window")
        self.stack = Gtk.Stack()
        self.stack.set_transition_type(Gtk.StackTransitionType.SLIDE_LEFT_RIGHT)
        self.set_child(self.stack)
@ -156,7 +159,6 @@ class MyApp(Adw.Application):
        self.settings_win = SettingsWinvdow(application=app)
        self.settings_win.present()

-app = MyApp(application_id="com.quexten.Goldwarden")

 def show_login():
    dialog = Gtk.Dialog(title="Goldwarden")
@ -218,4 +220,5 @@ def show_login():
    dialog.set_modal(True)
    dialog.present()

+app = MyApp(application_id="com.quexten.Goldwarden.settings")
 app.run(sys.argv)